diff options
| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2009-07-15 09:49:35 +0000 |
| commit | 94486f4f3e94367a148c762648eb0c3ed84014d6 (patch) | |
| tree | 044ef51b29ced112d0791f0aa000fe39d6ffa64e /roundcubemail/program/include | |
| parent | 03cfead1d42ca546e148516fd5750af7a47ea278 (diff) | |
Use request tokens to protect POST requests from CSFR
git-svn-id: https://svn.roundcube.net/trunk@2755 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/include')
| -rw-r--r-- | roundcubemail/program/include/rcmail.php | 33 | ||||
| -rwxr-xr-x | roundcubemail/program/include/rcube_template.php | 37 |
2 files changed, 68 insertions, 2 deletions
diff --git a/roundcubemail/program/include/rcmail.php b/roundcubemail/program/include/rcmail.php index a4f44b8f4..627a8f290 100644 --- a/roundcubemail/program/include/rcmail.php +++ b/roundcubemail/program/include/rcmail.php @@ -852,6 +852,39 @@ class rcmail /** + * Generate a unique token to be used in a form request + * + * @param string Request identifier + * @return string The request token + */ + public function get_request_token($key) + { + if (!$this->request_tokens[$key]) + $_SESSION['request_tokens'][$key] = $this->request_tokens[$key] = md5(uniqid($key . rand(), true)); + + return $this->request_tokens[$key]; + } + + + /** + * Check if the current request contains a valid token + * + * @param string Request identifier + * @return boolean True if request token is valid false if not + */ + public function check_request($key, $mode = RCUBE_INPUT_POST) + { + $token = get_input_value('_token', $mode); + $valid = !(empty($token) || $_SESSION['request_tokens'][$key] != $token); + + if ($valid) + unset($_SESSION['request_tokens'][$key]); + + return $valid; + } + + + /** * Create unique authorization hash * * @param string Session ID diff --git a/roundcubemail/program/include/rcube_template.php b/roundcubemail/program/include/rcube_template.php index 382508099..a08f27309 100755 --- a/roundcubemail/program/include/rcube_template.php +++ b/roundcubemail/program/include/rcube_template.php @@ -925,7 +925,7 @@ class rcube_template extends rcube_html_page */ public function form_tag($attrib, $content = null) { - if ($this->framed) { + if ($this->framed || !empty($_REQUEST['_framed'])) { $hiddenfield = new html_hiddenfield(array('name' => '_framed', 'value' => '1')); $hidden = $hiddenfield->show(); } @@ -935,7 +935,40 @@ class rcube_template extends rcube_html_page return html::tag('form', $attrib + array('action' => "./", 'method' => "get"), - $hidden . $content); + $hidden . $content, + array('id','class','style','name','method','action','enctype','onsubmit')); + } + + + /** + * Build a form tag with a unique request token + * + * @param array Named tag parameters including 'action' and 'task' values which will be put into hidden fields + * @param string Form content + * @return string HTML code for the form + */ + public function request_form($attrib, $content) + { + $hidden = new html_hiddenfield(); + if ($attrib['task']) { + $hidden->add(array('name' => '_task', 'value' => $attrib['task'])); + } + if ($attrib['action']) { + $hidden->add(array('name' => '_action', 'value' => $attrib['action'])); + } + + // generate request token + $request_key = $attrib['request'] ? $attrib['request'] : $attrib['action']; + $hidden->add(array('name' => '_token', 'value' => $this->app->get_request_token($request_key))); + + unset($attrib['task'], $attrib['request']); + $attrib['action'] = './'; + + // we already have a <form> tag + if ($attrib['form']) + return $hidden->show() . $content; + else + return $this->form_tag($attrib, $hidden->show() . $content); } |